Overview

Why does this topic matter to organisations?

Under the Directive, organisations are obliged to deal with a separate DPA for each Member State whose laws apply to them. This has meant that businesses faced a range of inconsistent compliance requirements across the EU, often resulting in complexity and unpredictability. The GDPR is intended to create a more uniform approach to the regulation of data processing activities across the EU.

What types of organisations are most affected?

All organisations that are subject to the laws of multiple Member States are affected by the Consistency Mechanism and related rules regarding cooperation among DPAs, as set out below.

What should organisations do to prepare?

Organisations that operate in, or are subject to the laws of, multiple Member States should:

ensure that they understand the role of the "lead DPA" and the concept of the "One-Stop-Shop" (see Chapter 14); and

ensure that they can identify the lead DPA and are familiar with the enforcement approach generally taken by the lead DPA.

Detailed analysis

Issue: The core aim of the Consistency Mechanism is to ensure that EU data protection law is enforced uniformly across all Member States.

The Directive (Art.28(1)): Under the Directive, organisations operating in more than one Member State deal with the DPA in each Member State in which such an organisation operates.

The GDPR (Rec.132-134; Art.63, 64(2)): DPAs across all Member States are required to co-operate with each other and with the EDPB and the Commission, to ensure consistent application of the GDPR.

Impact: The GDPR provides for mandatory cooperation between national DPAs and provides that cases considered to have an impact in more than one Member State may be referred to the EDPB. This should help to ensure that organisations face more consistent compliance requirements across the EU.

Issue: Opinion of the EDPB

Even if the applicable national data protection laws set similar standards across all Member States, enforcement requirements, attitudes, and standards may vary from Member State to Member State. Ensuring similar enforcement standards is a core issue for EU data protection law.

The Directive (N/A): The Directive does not provide for DPAs to submit their decisions to a central authority.

The GDPR (Rec.136; Art.64): DPAs must submit a draft to the EDPB before taking any of the following measures:

specifying processing measures that should be subject to an Impact Assessment (see Chapter 12);

The EDPB may examine each such measure and issue an opinion where the matter in question affects multiple Member States. The relevant DPA must take "utmost account" of the EDPB's opinion in proceeding with its decision.

Impact: DPAs are required to submit to the EDPB decisions that are likely to affect data subjects or organisations in multiple Member States. In theory, this will ensure that DPAs take decisions in a manner that is consistent with the approach that the other affected DPAs would take on the same issues, resulting in a more consistent application of the law across the EU.

Involving the EDPB as a new step in the decision-making process may result in additional delays.

Issue: Dispute resolution by the EDPB

Where DPAs disagree with one another there is a risk of inconsistent application of data protection law across the EU. Allowing a central authority to make binding decisions reduces this risk.

The Directive (N/A): The Directive does not provide for a central authority to make decisions that are binding on DPAs.

The GDPR (Rec.136; Art.65): Where DPAs disagree about key data protection law issues, the EDPB will issue a binding decision, which must then be adopted by the Concerned DPA(s) within one month of notification of the EDPB's decision.

Impact: Resolution of disputes by the EDPB should ensure a more consistent application of the GDPR.

Issue: Urgency procedure

One drawback of requiring DPAs to refer enforcement issues to a central authority is that this may lead to delays. In many cases, the delay might not prejudice the outcome of the proceedings, but there is a risk that, in some cases, it may do so. Therefore, there is a need to allow for more rapid decisions in cases of urgency.

The Directive (N/A): The Directive does not directly address this issue.

The GDPR (Rec.137; Art.66): Where a DPA considers there to be an urgent need to act to protect data subjects' rights, it may immediately adopt provisional measures for up to three months. A full explanation should be provided to other Concerned DPAs, the EDPB and the Commission. Urgent opinions may also be requested from the EDPB.

Impact: This provision allows urgent measures to be taken by DPAs in exceptional circumstances. The inclusion of the EDPB in the decision-making process may result in delays, but the urgency procedure reduces this risk, to a certain extent.

Issue: Exchange of information

In order to ensure that EU data protection law is applied consistently, it is important to ensure that DPAs and the EDPB are communicating clearly.

The Directive (N/A): The Directive does not directly address this issue.

The GDPR (Rec.116, 168; Art.47(3), 50, 60(1), 61(3), (9), 67, 70(c), (u)-(w)): The Commission may implement acts which specify arrangements for electronic exchange of information between DPAs and the EDPB. The EDPB may advise on these issues.

Impact: This provision is designed to ensure a free flow of information between Concerned DPAs and the EDPB.

Further analysis

Commentary: DPAs still have exclusive competence to regulate processing of data that only affects their own Member State

Under the GDPR, where an organisation's data processing activities only affect data subjects in a single Member State, only the DPA for that Member State has authority to enforce the GDPR against that organisation. For example, if a small business only processes the personal data of its own employees, and only has customers in its home Member State, it will generally only be regulated by its own DPA. However, a larger business that has customers all over the EU may find itself subject to regulatory actions taken by multiple DPAs.

Organisations can minimise the difficulties that arise from dealing with multiple DPAs by ensuring that they benefit from the One‑Stop‑Shop (see Chapter 14).

Case law: Ability of DPAs to take action affecting other Member States

In October 2015, the CJEU issued its decision in the case of Weltimmo v Nemzeti (Case C-230/14). In that decision, the CJEU stated that each DPA is responsible for applying the Directive (as implemented through the national laws of Member States) in its own Member State. But where a controller in one Member State engages in processing affecting data subjects in another Member State, the DPA in the latter Member State may be able to take enforcement action against the controller (although only the DPA in the first Member State would have the power to fine the controller or issue formal sanctions against it).

The GDPR streamlines this approach by requiring DPAs to work together in cases of processing that affects multiple Member States (see Chapter 15). How this will work in practice remains to be seen.

Commentary: Oversight by the EDPB

Because the EDPB does not yet exist, and because the provisions governing the Consistency Mechanism and oversight by the EDPB are not effective yet, it is unclear how the EDPB will fulfil its role in resolving disputes between DPAs. Current practice indicates that there are likely to be many cases in which DPAs have different opinions about the correct application of EU data protection law (see, for example, the significantly divergent views of DPAs following the CJEU's decision in Schrems). Where DPAs disagree, the EDPB may be called in to adjudicate under Art.64. Given the potentially high numbers of disagreements, and the length of time it may take for DPAs and the EDPB to familiarise themselves with this mechanism, there may be delays until the EDPB's processes work smoothly.